LTS Secure Warning: Wannamine Malware fueled using NSA exploit Eternalblue

Cryptomining based Wannamine malware outbreak still actively attacking the windows users around the globe that using NSA exploit Eternalblue to penetrate the unpatched SMB enabled computers to gain high privileged access. Many organization still not applying the patch for Eternalblue Exploit that released by Microsoft in 2017 and the vulnerable systems are continuously targeted by cybercriminals to inject Wannamine crypto mining malware. Few months before Wannamine malware attack Open Redis servers using another remote code execution exploit to inject the crypto miner.

Technical Details

Wannamine was first discovered by Panda Security in October last year, but the malware is only just coming to the attention of the general public, thanks to a number of high profile infections. But unlike other malware variants, WannaMine is proving particularly hard to detect and block.

Impact

An initial stage of attack begins with the Eternalblue Exploitation against the unpatched SMB server and once it will be executed then new malicious process powershell.exe will starts its execution.

Attackers using various powerful obfustication techniques within the downloaded payload with base64 encoded and some text encoding.The downloaded payload is very large one and it is quite impossible to load all into an interactive ipython session because it makes hanging the most of the editors.

Researcher deobfuscated the payload they find the more PowerShell code which is used by wannamine malware to move laterally across a network.

According to cybereason research, “Before dropping the crypto miner, PowerShell script will also change the power management settings on the infected machine which helps to prevent the machine from going to sleep and maximize mining power availability.” Once the victim’s machine power settings on the machine were reconfigured, then there are hundreds of powershell.exe processes using a lot of CPU cycles and connecting to mining pool servers.

Recommended Actions

The only way to spot a WannaMine infection is by carefully monitoring the applications and services running on a computer,

As well as having a robust, modern anti-virus application installed on all your computers, it is vital that they are all routinely updated and patched to close the loopholes used by malware. The EternalBlue exploit used by WannaMine and WannaCry was patched by Microsoft in March 2017 – but many Windows users have not applied the update, leaving themselves vulnerable.

Keeping your computer up-to-date and installing updated security tools will help to block cryptocurrency malware before it can take over your computer. And as WannaMine shows – if your computer is infected, it may soon spread to other computers and devices on your network.

For more details, click on the link.